Slashdot Mirror

← Back to Stories (view on slashdot.org)

Are You Using 802.1X?

Posted by Cliff on from the solving-the-problems-of-802.11 dept.

WirelessMan asks "I work for a certain university in the US, and our IT department has just deployed IEEE 802.1x authentication for our wireless network. One of the benefits is that all users' sessions are encrypted using tumbling WEP keys. One of the (major) drawbacks is the 'newness' of 1x. As far as I can tell (Google, etc) there aren't a whole lot of places out there who have taken the plunge. Google it, or check out this brief description. Does the Slashdot community have any experience with 1x?"

"Here's our story: we're using Windows 2003 servers (for IAS) and PEAP/MSCHAPv2. We're not offering support for Windows clients prior to 2000 (even though clients do exist for 98/ME,etc). Windows 2000 supposedly has builtin support after SP3, but on June 10, Microsoft released a WEP patch that breaks 1x! (At least for our implementation...) Windows XP SP1 works in most cases, but certain onboard-wireless chipsets (Intel) don't work, regardless of OS. I heard that staff struggled with and finally successfully installed a 3rd party client for RedHat 9, and I'm told there's also a client for Mac OS 10.2.

As far as I can tell, the network guys did their homework--I promise--but this deployment is beginning to look like a disaster! Do you have any wisdom to share about how to pull victory from the clutches of shameful defeat? I realize my question is rather broad and vague ... but I'm really interested to see what discussion comes up. Thanks!"

4 of 239 comments (clear)

  1. Testing... Testing... by ErikTheRed · · Score: 4, Interesting
    "Looks like the network guys did their homework..."

    Did "homework" include a reasonable test implementation? Anything that affects your infrastructure in such a drastic way should probably be banged on for several weeks with at least a dozen guinea pigs (assuming you don't have a test lab in these days of cost cutting).
    --

    Help save the critically endangered Blue Iguana
  2. Purdue's Solution by mjlizzad · · Score: 5, Interesting

    Take a look at what Purdue University does. They use a Cisco VPN client that is available on win/mac/linux/sun, and ties in with the student accounts to verify access. If you aren't using the VPN client, you are redirected to download it automagically. http://www.itap.purdue.edu/airlink/ This is the best solution I have seen.

    1. Re:Purdue's Solution by Anonymous Coward · · Score: 5, Interesting

      Actually, the VPN solution, while effective, can be a management pain in the butt -- especially if you have users that wander from AP to AP that may or may not service the same subnet. Plus, almost always its going to be a proprietary solution of some sort, meaning you're locked into a vendor and may face future compatibility issues.

      With 802.1x properly implemented, there's little reason to continue using VPN. I have seen a combination of VPN and .1x, but that is merely because using plain WEP doesn't meet DoD standards for encryption of unclassified data over an open medium.

  3. Re:Another Question... by galimore · · Score: 4, Interesting

    Check out the open1x project.

    http://open1x.sourceforge.net

    I'm not only a client, I'm also a developer. ;)